By Thomas E. Ricks

Thomas E. Ricks covered the U.S. military from 1991 to 2008 for the Wall Street Journal and then the Washington Post. He can be reached at ricksblogcomment@gmail.com.

July 30, 2015

By Haley Peters
Best Defense guest columnist

In the realm of cyber, awash in anonymity and ambiguity, the 2013 APT1 report was a game changer.

The report attributed seven years’ worth of sustained cyber espionage on 140 companies to a single building in Shanghai — it named a specific organization (the People’s Liberation Army), its military unit cover designator (61398) and public identity (“second bureau, third department of the general staff directorate of the PLA”), and even included a Google Earth image of its headquarters on Datong Road in the Pudong New Area of Shanghai.

Companies now knew who was attacking. But how to respond?

Last week at AEI, Richard Bejtlich — a senior security advisor at FireEye, and part of the team that released APT1 — along with Paul Tiao, a partner at Hunton & Williams, and Senator Cory Gardner (R-CO), Chairman of the Senate Foreign Relations Committee Subcommittee on East Asia, the Pacific, and International Cybersecurity Policy, took on that question.

The good news is that now, two years after APT1, in the wake of attacks on Sony, Target, JP Morgan Chase, Anthem Healthcare, and most recently OPM, developing strategies for dealing with cyber threats has raced to the top of agendas in Washington.

As Gardner noted, the Senate plans to vote on two cyber security bills before the August recess — the Cybersecurity Information Sharing Act (CISA), to increase sharing of public and private data on hackers, and the Federal Cybersecurity Enhancement Act, to require agencies to adopt cybersecurity best practices and speed the implementation of the government’s anti-hacking shield “Einstein.”

He also floated the possibility of a select committee on cyber, comprised of the various chairmen of the Senate Armed Forces, Foreign Relations, Homeland Security, and Commerce committees along with the slew of subcommittees dealing with cyber.

China has such a committee, Gardner added, with President Xi himself at the helm, to centralize control over all things cyber.

For the private sector, Bejtlich and Tiao noted, solutions necessarily involve organizational change, requiring understanding and buy-in from the C-suite level as well as the reorganizing of boards and reshaping of management structures and information security policies.

And costs — especially for smaller companies — can be prohibitive.

Each of the 140 companies targeted by Unit 61398 would have needed a team of 40 to 50 people to prevent a breach. In the event one happened, attorneys would have to interpret 47 different state versions of data breach notification laws; a communications team would have to shape the message about the security of the company’s information; and a security contractor would have to come root out bad actors in the network.

It’s here that the U.S. government can help, they added, to reduce costs for companies, create deterrence against cyber attacks, and impose sanctions for these attacks.

We do have tactics.

In response to the North Korea Sony hack, the President issued an executive order allowing the Treasury Department to impose sanctions on cyber hackers that pose a threat to “national security, foreign policy, or economic health or financial stability of the United States.” And last year the Justice Department filed indictments against five PLA hackers who targeted U.S. Steel, Westinghouse, and others.

What’s needed, though, is a more comprehensive strategy.

We are just now beginning to learn the capabilities and MOs of our cyber adversaries. We have already learned that our defense is not up to par. And we ought to know that there is a whole lot we don’t know — how do we align our means and ends, how do we match our offensive and defensive abilities, what lines we will and won’t cross. Time to get to work.

Haley Peters is a recent graduate of Duke University and an intern this summer at New America’s International Security Program. When not researching and writing on foreign policy and national security, she is a professional basketball player in Europe. This year she will play for C.B. Conquero Huelva.